Russian hackers are targeting financial institutions in Europe and the United States with a nostalgia-laden gambling lure.
Two security agencies in Ukraine, CSIRT-NBU and CERT-UA, have warned of a new phishing campaign carried out by a threat actor they track as “UAC-0188.” This group is also known as “FRwL,” which is probably an abbreviation for “From Russia with Love,” a 1963 James Bond film.
The group sends phishing emails from “[email protected]”, posing as a medical center. The emails carry the subject line “Personal Web Archive of Medical Documents” and a 33 MB attachment, a .SCR file hosted on Dropbox that contains the code of a Python clone of the well-known Minesweeper game for Windows. The clone, however, also downloads additional scripts from a remote source which, after a few more steps, end up installing SuperOps RMM.
Abusing SuperOps RMM
SuperOps RMM (RMM is short for Remote Monitoring and Management) is a software platform designed to help managed service providers (MSPs) and IT professionals manage and monitor their clients' IT infrastructure remotely. It integrates various tools and functions to streamline IT operations, strengthen security, and improve efficiency.
The tool is legitimate, but it is often abused, similar to what happened to Cobalt Strike. SuperOps RMM gives attackers remote access to compromised systems, which they can then use to deploy more serious malware or information stealers, obtaining login credentials, sensitive data, banking information, and more.
IT administrators should monitor their network activity for the presence of SuperOps RMM; if they do not normally use the software (or know it is not installed on their systems), they should treat that activity as a sign of compromise.
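One way to turn that advice into a repeatable check, as an added example that is not part of the original article or any vendor tooling: compare a software inventory against an allowlist of which hosts are permitted to run which RMM product, and flag every other occurrence. The inventory records, the host names, the allowlist and the name patterns are all constructed for the example (the product name patterns are an assumption about how the tools appear in an inventory, not their real package names).

```python
import csv
import io
import re

# Remote-access / RMM products to look for. SuperOps RMM is the one named in
# the article; TeamViewer and AnyDesk are other well-known remote-access
# products added so the check generalises. The patterns are an assumption
# about how each product is named in a software inventory.
RMM_PATTERNS = {
    "SuperOps RMM": re.compile(r"superops", re.IGNORECASE),
    "TeamViewer": re.compile(r"teamviewer", re.IGNORECASE),
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
}

# Constructed sample inventory (host, installed software, publisher).
# Software names are illustrative, not the products' real package names.
SAMPLE_INVENTORY = """\
host,software,publisher
it-admin-01,SuperOps Agent,SuperOps
fin-ws-07,SuperOps Agent,SuperOps
fin-ws-07,Microsoft Office,Microsoft
hr-ws-03,TeamViewer,TeamViewer GmbH
fin-ws-12,Minesweeper,Unknown
"""

# Allowlist (assumption): only the IT admin workstation may run SuperOps RMM;
# no other RMM product is approved anywhere.
APPROVED = {"SuperOps RMM": {"it-admin-01"}}


def parse_inventory(text):
    """Parse CSV inventory text into a list of dicts keyed host/software/publisher."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(software, publisher):
    """Return the RMM product a record matches, or None if it is not an RMM tool."""
    haystack = f"{software} {publisher}"
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(haystack):
            return product
    return None


def find_unapproved_rmm(records, approved):
    """Return (host, product, inventory entry) for every RMM install not on the allowlist.

    Findings are returned in inventory order so output is deterministic.
    """
    findings = []
    for rec in records:
        product = classify(rec["software"], rec["publisher"])
        if product is None:
            continue
        if rec["host"] in approved.get(product, set()):
            continue  # this host is allowed to run this product
        findings.append((rec["host"], product, rec["software"]))
    return findings


if __name__ == "__main__":
    records = parse_inventory(SAMPLE_INVENTORY)
    for host, product, entry in find_unapproved_rmm(records, APPROVED):
        print(f"{host}: unapproved {product} (inventory entry '{entry}') "
              "- treat as a possible compromise")
```

In the sample data the finance workstation carrying a SuperOps agent and the HR workstation running TeamViewer are both reported, while the approved admin host is silent. The same allowlist logic applies to whatever feeds a defender already has (EDR process telemetry, DNS logs, installed-software inventories); the allowlist is what lets a legitimately used tool coexist with the check rather than drowning it in noise.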
The agencies did not say who the group's usual targets are or how many organizations it managed to compromise.
Via BleepingComputer